March 12, 2006

US Gov Helps Identity Thieves UPDATED

I annoy the lovely people down at 24 Hour Fitness mightily. The company issues membership cards you have to present to enter the gym. However, the membership card has no photo on it, so you have to present a photo ID as well. This annoys me. Mightily. Why don't they issue you a membership card with a photo on it, so you don't need to present a photo ID?

When I enter the gym, I make a huge drama out of having to show my drivers license as well as my membership card. While I'm doing this, they tell me that they'd be thrilled to photocopy my drivers license and stick it into a clear plastic pouch for me along with my membership card, so that I don't have to fish out my wallet every time.

Nowadays, I just say no, thank you, but occasionally I'll still bother to explain to them that:
1. Identity Theft is the US's fastest growing crime,
2. The information contained on my drivers license (or on a photocopy thereof) is all an identity thief needs to steal my identity for a multitude of purposes,
3. The whole point of photocopying my drivers license is to make it more easily accessible to me, which necessarily means it's more easily accessible to a pickpocket,
4. I've lost my gym membership card (which has my name and gym membership barcode on it and nothing else) twice and suffered no ill effects and I'd like to keep it that way.

I could also tell them (but never do) that 24 Hour Fitness's consumer base is in the 18-29-year-old and the 30-39-year-old groups (I belong, of course, to the latter. Yes, I know, you'd never have guessed). These are, respectively, the most, and second most identity thieved demographic groups. I could also point out that San Francisco is the seventh most identity-stealin' city in the country. (Data from here.) But I don't need to, because after two or three such encounters with me, any given staff member is apt to just roll their eyes and wave me in. Thus I get through my life, and, so far, my identity has never been stolen.

Too bad you can't do the same at border control.

You see, the US gov, that bevy of brains, has finally gotten around to adding RFID (Radio Frequency Identification) chips to the passports they're issuing, an action mandated by law in those rational days of 2002. RFID chips, which store all the information printed on your passports, are remotely readable, which means that anyone possessing the right technology can read the information in your passport as you walk by, without opening, or even touching your passport. It also means that anyone with the right technology can "eavesdrop" on the government reading your passport remotely. Basically, once your info is put on an RFID chip, you have no more control over who gets at it -- and neither does the government.

Right now the chips are only in diplomats' IDs (and that's scary enough!), but they'll be adding them to regular customers'-- I mean citizens' in October. In the Netherlands, a private company has already succeeded in hacking into Dutch passports, causing a bit of a ruckus. (You'd think there'd be a ruckus here, too, but then you'd think the same thing about hackable voting machines after 2000 and 2004, or about our president lying to us so that he could have his war ... and guess what? No ruckus.) My passport is good for the rest of the decade or so, but after that, will I have to bare my info to a world that is already four or five years more sophisticated at stealing it?

So, what to do? Some German hackers, concerned about the RFID tags in consumer products, developed an RFID-zapper, which deactivates any RFID tags it finds in the vicinity. But presumably, zapping your passport will only render it invalid. At the moment, all you can really do is protest. Here's an article with the names of organizations in the US and UK actively protesting the use of biometrics in such a manner.

I also might do some digging and see if I can find out what rights we have with regard to our passports, and if it's possible to refuse to allow our information to be put on an RFID chip and still get issued a passport. Does anyone out there know the law regarding passport rights?

UPDATE
I just saw this on the Making Light blog: this guy decided to test the theory that thieves could apply for your credit card using an application you tore up and threw in the trash. And yes, indeed, thieves can, even if you have them send the card to a different address and use a cell phone number for your contact number. Scary.

UPDATE II
Oh, great. Thanks to Jose's tip in the comments below, I just read that RFID chips can carry viruses, although they don't spread from chip to chip, but rather attack the database. I agree with Jose that tech is the tech of da fewchoor, but, like lasic surgery, you should let other people do it first, and then wait twenty years, before forcing everyone to have it.

TrackBack

Comments

all's i can say, dear seelight, is that you're not only unusually interested in tech policy for a creative writer, but you've also got a solid grasp on how good tech policy is distinguished from bad tech policy.

be sure and let me know if you ever grow weary of the itinerant writerly life, and find a need or a want to develop a more square, yet admittedly more secure, career. i can think of a couple-few options for you that you may never have thought of, and that you'd do quite well at . . . hint: how do you think some of those folks at eff got their jobs, anyways? i'd love to talk with you about it sometime . . .

oh, but to answer your question, as far as i know, no one has an absolute right to a passport.

the case that has very ominous implications for this is gilmore v. ashcroft. this case is not reported, and the only citation i can find is 2004 WL 603530.

essentially, the plaintiff's suit claimed that being asked to show id before boarding a domestic flight an unconstitutional violation of 1st and 4th amendments, among others.

the federal court for the northern district of california dismissed the case, noting that the plaintiff's claim was "not based on a cognizable legal theory or [it pleaded] insufficient facts to support a cognizable legal claim." in other words, the court said that gilmore had no legal commplaint in his suit.

now, the ominous implications for your question: gilmore only dealt with showing id for domestic flights. i think it's pretty clear that the court would say that you can make a domestic flyer show id (based upon theories of administrative and constitutional law), you can make an int'l flyer bear whatever passport the dep't of state deems appropriate.

as such, there's probably no court in the country who would assert that us citizens have an unabridged right to a passport, but rather, that the right to a passport must be weighed against whatever the gov't says it needs to issue passports, including rfid.

don't like it? neither do i. but if you don't like it, then see my earlier comment. maybe you could actually do something about it, if you were willing to undergo a long, hard slog through a very unpleasant academic place . . . you've got the smarts to do it, at least . . .

Your beef with 24 Hour Fitness is right on the money — the kind of thing The Consumerist should run. (Also, if you're interested in security, generally, Bruce Schneier's is one of the best — check out the recent basketball story.

As for RFID and passports: yeah, RFID is still too open but it's going to get better as it is and has been a high profile technology.

That said, I wonder how you would feel about biometric identification?

After meeting an immigrant who was beaten into a coma for his working papers, I've come to believe that biometric proofs are the best compromise.

jose, after reading your story about abdel, i'm really sad. but i don't think biometric proofs will save the day. you can still be beaten into a vegetable for your corneas, or fingerprints, or your implant, or whatever it is you're carrying that has the biometric info on it.

i think the way identity is established now, vis a vis documenting guest workers, exposes those with the least resources to the most risk.

it will always be easier to steal a piece of paper than living tissue. if you're going to go through the trouble of cutting off someone's finger, you'll pick a very wealthy person. (how many times will you be able to use that finger? how many times can you use someone else's paper document?)

i think biometric proofs would help. nothing will solve the problem of evil people, though.

I had taken the sample drivers license temps' test online a couple of weeks ago and only missed one question. This one above. I was on the phone with my mom tonight and I was reading her the questions and she was taking the test.
You are absolutely right the information contained on my drivers license is accessible to a pickpocket!